AGILE SECURITY; or, HOW TO DEFEND APPLICATIONS WITH FIVE-DAY RELEASE CYCLES



What does "Agile" mean, anyway?




The Agile Manifesto

- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan



Security Development Lifecycle

The SDL: Microsoft's industry-leading software security assurance process, designed to protect customers by reducing the number and severity of software vulnerabilities before release.
Challenges: Adapting SDL to Agile

- Iterative nature of Agile
- Projects may never end
- Just-in-time planning/YAGNI mentality
- General avoidance of project artifacts
- Emphasis on project/iteration backlogs
- General avoidance of automated tools
Security Development Lifecycle

(Phase diagram of the SDL; only the label "Final security..." survived extraction.)

- SDL "Classic" phased approach
  - Fits spiral or waterfall...
  - ...but Agile doesn't have phases





Idea: Move SDL to product backlog

- Very Agile...
- ...but not secure




Idea: Do the full SDL every iteration

- Very secure...
- ...but not Agile




Iterative nature of Agile

- From the Principles Behind the Agile Manifesto:

  "Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale."



Idea: Drop some requirements

- But every requirement is, well, required
- Need to keep all requirements
- Need to reorganize them into an Agile-friendly form






SDL-Agile process

(Diagram of the three classes of requirements; only the labels "Training" and "Threat..." survived extraction.)
Requirements as backlog items

- One-time requirements get added to the Product Backlog (with deadlines)
- So do bucket requirements
- Every-sprint requirements go to the Sprint Backlog directly

Example backlog items from the slide:

- Set up tracking system
- Upgrade to VS2010
- Fuzz image parser
- Fuzz network parser
- Threat model new stored procedures
- Run static analysis




Agile sashimi

- At the end of every sprint:
  - All every-sprint requirements complete
  - No bucket items more than six months old
  - No expired one-time requirements
  - No open security bugs over the bug bar



Bug bar

(Severity tiers from the slide; only the top tier's label survived extraction.)

- Critical: EoP: Remote Anonymous; Info Disc: HBI/PII
- Next tier: EoP: Local Anonymous; DoS: Asymmetric Persistent
- Next tier: Info Disc: LBI; DoS: Temporary
- Lowest tier: Info Disc: Random memory
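The "Agile sashimi" rules and the bug bar together define a mechanical sprint exit gate: every-sprint items must be done, bucket items must have been performed within six months, one-time items must not be past their deadline, and no open security bug may sit above the bar. The following is an added example written for this page, not code from the slides or from Microsoft's SDL tooling; it models the three requirement classes as backlog items and applies the four end-of-sprint checks. The bug-bar rows are the ones shown on the slide, but the slide only labels the top tier, so the tier names Important, Moderate and Low, the 183-day approximation of "six months", the default bar threshold of Important, and all sample backlog data are assumptions made for the example.

```python
"""SDL-Agile sprint exit gate: requirement classes plus bug-bar check (example, not SDL tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Kind(Enum):
    """The three SDL-Agile requirement classes named on the slides."""
    EVERY_SPRINT = "every-sprint"
    BUCKET = "bucket"
    ONE_TIME = "one-time"


@dataclass
class Requirement:
    name: str
    kind: Kind
    done: bool = False                      # completed in this sprint (every-sprint / one-time)
    last_completed: Optional[date] = None   # bucket items: when the task was last performed
    deadline: Optional[date] = None         # one-time items: must be completed by this date


@dataclass
class SecurityBug:
    bug_id: str
    cause: str      # root cause, e.g. "buffer overflow" or "XSS" (tracked per the slide)
    effect: str     # STRIDE effect: "EoP", "Info Disc", "DoS", ...
    context: str    # qualifier the bug bar keys on, e.g. "remote anonymous"
    is_open: bool = True


# Bug-bar rows from the slide, keyed on (effect, context) in lower case.
# Only "Critical" is labelled on the slide; the lower tier names are an
# assumption made for this example.
BUG_BAR = {
    ("eop", "remote anonymous"): "Critical",
    ("info disc", "hbi/pii"): "Critical",
    ("eop", "local anonymous"): "Important",
    ("dos", "asymmetric persistent"): "Important",
    ("info disc", "lbi"): "Moderate",
    ("dos", "temporary"): "Moderate",
    ("info disc", "random memory"): "Low",
}
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}


def bug_bar_severity(bug: SecurityBug) -> str:
    """Map a bug's STRIDE effect and context to a bug-bar severity.
    An unknown combination is an error rather than a silent "Low": a bug that
    cannot be placed on the bar must not be allowed to ship unnoticed."""
    key = (bug.effect.lower(), bug.context.lower())
    if key not in BUG_BAR:
        raise ValueError(f"{bug.bug_id}: no bug-bar entry for {key}")
    return BUG_BAR[key]


def sprint_gate(requirements: List[Requirement], bugs: List[SecurityBug], sprint_end: date,
                bucket_max_age: timedelta = timedelta(days=183), bar: str = "Important") -> List[str]:
    """Apply the four end-of-sprint rules and return the list of blockers.
    An empty list means the sprint may ship. "Six months" is approximated as
    183 days and the bar defaults to Important; both are assumptions."""
    blockers = []
    for r in requirements:
        if r.kind is Kind.EVERY_SPRINT and not r.done:
            blockers.append(f"every-sprint requirement not complete: {r.name}")
        elif r.kind is Kind.BUCKET:
            if r.last_completed is None or sprint_end - r.last_completed > bucket_max_age:
                blockers.append(f"bucket item more than six months old: {r.name}")
        elif r.kind is Kind.ONE_TIME and not r.done:
            if r.deadline is not None and r.deadline < sprint_end:
                blockers.append(f"expired one-time requirement: {r.name}")
    for b in bugs:
        if not b.is_open:
            continue
        sev = bug_bar_severity(b)
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[bar]:
            blockers.append(f"open bug over the bug bar: {b.bug_id} ({b.cause}, {sev})")
    return blockers


SPRINT_END = date(2010, 6, 30)   # constructed sprint end date for the sample below


def demo_blockers() -> List[str]:
    """Constructed sample sprint using the backlog item names from the slide."""
    reqs = [
        Requirement("Run static analysis", Kind.EVERY_SPRINT, done=True),
        Requirement("Threat model new stored procedures", Kind.EVERY_SPRINT, done=False),
        Requirement("Fuzz image parser", Kind.BUCKET, last_completed=date(2010, 5, 1)),
        Requirement("Fuzz network parser", Kind.BUCKET, last_completed=date(2009, 11, 15)),
        Requirement("Set up tracking system", Kind.ONE_TIME, done=True, deadline=date(2010, 3, 1)),
        Requirement("Upgrade to VS2010", Kind.ONE_TIME, done=False, deadline=date(2010, 6, 1)),
    ]
    bugs = [
        SecurityBug("B-1", "buffer overflow", "EoP", "remote anonymous"),            # Critical, open
        SecurityBug("B-2", "XSS", "Info Disc", "LBI"),                              # Moderate, below bar
        SecurityBug("B-3", "integer overflow", "DoS", "asymmetric persistent", is_open=False),
    ]
    return sprint_gate(reqs, bugs, SPRINT_END)


if __name__ == "__main__":
    for blocker in demo_blockers():
        print(blocker)
```

Run as a script, the sample sprint fails on four counts: the unfinished every-sprint threat model, the network-parser fuzzing that last ran more than six months ago, the expired VS2010 upgrade, and the open Critical bug; the Moderate XSS bug is recorded but does not block. Keeping cause and STRIDE effect on each bug is what makes the last rule computable, which is the point of the "Security bug tracking" slide later in the deck.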






Security Incident Response

- Because 2:00 AM Christmas morning is a poor time to hold a Scrum meeting...



Security bug tracking

- Must track bug cause
  - Buffer overflow
  - XSS
  - Etc.
- And effect
  - STRIDE
- Important for bug bar criteria



Threat modeling

- "The cornerstone of the SDL"
- Data Flow Diagrams (DFDs)
  - STRIDE per element
  - Mitigations
  - Assumptions
  - External dependencies



Sidebar: Exception workflow

(Diagram of exception levels, Level 1 through Level 5.)






Writing secure code

- 10% Writing Security Features
  - Cryptography
  - Firewalls
  - ACLs
- 90% Writing Secure Features
  - Overflow defense
  - Input validation

Secure code does not featurize
Taskifying the SDL

- Some are straightforward
  - Enable compiler switches
  - Run static analysis tools
- ...some are tougher (not actionable)
  - Avoid banned APIs
  - Access databases safely



Two strategies

- Verify these things by hand (alone or in pairs)
- Verify these things with tools




Static analysis requirements

- FxCop
- CAT.NET
- PREfast (/analyze)
- And/or your alternative tool(s) of choice
- These are "every-sprint" requirements
- Better still: Continuous Integration








Dynamic analysis requirements

- Fuzzers (homegrown)
  - File parsers
  - RPC interfaces
  - ActiveX controls
  - COM objects
- AppVerifier
- Passive HTTP traffic analysis
- And/or your alternative tool(s) of choice
- These are "bucket" requirements
- Or CI...





Secure coding libraries

- AntiXSS/Web Protection Library
- StrSafe
- SafeInt
- Use always, check every sprint



<opinion>
This is the future of the SDL
</opinion>
Strengths: Adapting SDL to Agile

- Bucket activities easily move in & out of sprints
- Teams self-select best security activities
- SDL versioning is simpler and more current
- Each iteration is a gate

"Welcome changing requirements, even late in development. Agile processes harness change for the customer's competitive advantage."






"At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly."



SDL-Agile "versioning"

- SDL-Classic
  - Updated yearly
  - Grandfather clause
- SDL-Agile
  - Updated at any (remainder of the bullet not recovered from the slide)







"Security and privacy are most effective when 'built-in' throughout the entire development lifecycle"

"Security is most effective when it is 'baked-in' from the start"

- This fits Agile perfectly







The SDL-Agile Manifesto

- Continuous, incremental effort over heroic pushes
- Automated tasks over manual processes
- Planned incident response (counterpart on the slide not recovered)



More Resources

- http://www.microsoft.com/sdl
- http://blogs.msdn.com/sdl
- My alias: bryansul







